The Fundraising Regulator has called for an urgent amendment to the Information Commissioner’s Office draft guidance on consent under the General Data Protection Regulation, and has warned that the document risked contradicting previous advice.
The regulator also called for the guidance, which outlines the requirements for all businesses and charities under EU GDPR legislation, due to come into force in May 2018, to refer to the charity sector and not just the private sector at key points in the guidance.
In its response to the ICO’s consultation on the draft guidance, which ran throughout March, the Fundraising Regulator said the ICO needed to act quickly to amend errors that overstated the scope of the Fundraising Preference Service.
In its current form, the draft guidance says that if an individual wants to stop receiving charity marketing, "they can use the FPS to withdraw consent from all charities at once".
But in its consultation response, the regulator said: "The new service will not allow individuals to use the FPS to ‘withdraw consent from all charities at once’. It will allow individuals to withdraw consent from specific charities that they name."
It said there should be an "urgent amendment" to the guidance to ensure it reflects this.
The guidance emphasises that consent requires people to opt in, and says "there is no such thing as opt-out consent". But the Fundraising Regulator pointed to the ICO’s pre-GDPR drect marketing guidance of May 2016, which referred to "positive action" rather than "positive opt-in" and explicitly provided some limited examples where opt-out consent could be legitimate under pre-GDPR regulations.
The regulator said: "While we appreciate and support the need for stronger wording in the new guidance under the stricter GDPR, we would advocate that a statement is provided acknowledging a change in language used and contextualising this, to avoid the risk of being seen to contradict previous guidance."
This could be as simple as adding a line explaining that opt-out consent does not exist under the GDPR, the response said.
The Fundraising Regulator also joined others in the sector that have called for the ICO to be clearer about the condition in the GDPR allowing data to be processed without consent when an organisation has a "legitimate interest" in doing so.
Specifically, the regulator said the ICO should make it clear that, although consent was important, it was only one of the conditions that could be used to demonstrate the charity was processing data lawfully and the guidance should make it clear that it was not only private sector companies that could use legitimate interest as an alternative to consent.
The response said that although the GDPR does not specify a time limit for how long consent lasts, the guidance should highlight that the Data Protection Act says clearly that consent cannot be taken to last forever.
If you’re interested in fundraising, you can’t miss Third Sector’s Annual Fundraising Conference on 23 and 24 May. Click here for more information and how to book